DETAILED ACTION

1. A request for continued examination under 37 CFR 1.114, including the fee set forth in 
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible 
for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has
been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 
CFR 1.114. Applicant's submission filed on 1/17/2007 has been entered. Claims 1, 12-14, 20 
and 30 have been amended. Claims 1-9 and 12-35 are pending. 

Response to Arguments 

2. Applicant's arguments with respect to claims 1-9 and 12-35 have been considered but are
moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC § 101 

3. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

4. Claims 1-9 and 12-35 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non-statutory subject matter. 

5. Claims 1, 20 and 30 are directed to an intrusion detection system. The examiner
respectfully asserts that the claimed subject matter does not fall within the statutory classes 
listed in 35 USC 101. The claimed steps do not result in a tangible result (i.e., comparing 
classified packets does not constitute a tangible result). Claims 1, 20 and 30 are rejected as 
being directed to an abstract idea (i.e., producing non-tangible result) [tangible requirement 
does require that the claim must recite more than a 101 judicial exception, in that the process
claim must set forth a practical application of that 101 judicial exception to produce a real-world 
result, Benson, 409 U.S. at 71-72, 175 USPQ at 676-77]. Claims 2-9, 12-19, 21-29 and 31-35 
depend from claims 1, 20 and 30 and are rejected under the same rationale.

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

6. Claims 1, 3-9, 13-19, 30 and 31-35 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Vaidya US 6,279,113 B1 in view of McRae US 6,970,462 B1. 

7. As per claims 1 and 30, Vaidya teaches a method for detecting intrusion on a network, 
comprising: 

storing signature profiles identifying patterns associated with network intrusion in a 
signature database [column 3, lines 27-38 and column 6, lines 35-42]; 

generating classification rules based on said signature profiles [column 3, line 65 - 
column 4, line 8]; 

receiving data packets transmitted on the network [column 6, lines 60-68]; 

classifying data packets having corresponding classification rules according to said 
generated classification rules [column 6, line 57 - column 7, line 10]; 

forwarding said classified packets to a signature engine for comparison with signature 
profiles [column 6, lines 63 - column 7, lines 5 and column 7, lines 11-21]. Vaidya further 



Application/Control Number: 10/092,179 Page 4 

Art Unit: 2135 

teaches classifying data packets according to classification rules [column 6, line 57- column 7, 
line 10] and performing a table lookup to select an action to be performed on said classified 
packet based on the classification, wherein one of the actions is comparing said classified packet
to at least a subset of the signature profiles (i.e., accessing the attack signature profile set and 
determining if the packet is associated with a network intrusion). Vaidya is silent on carrying out 
the classification by a first classification stage capable of classifying the data packets and a 
second classification stage capable of classifying the data packets received from the first
classification stage. However, classification of data packets with multi-level stages is well known 
in the art, which has the advantage of enhancing the performance and efficiency of the system. 
For example, McRae teaches carrying out classification by a first classification stage capable of 
classifying the data packets on a first set of packet characteristics and a second classification 
stage capable of classifying the data packets received from the first classification stage based 
on a second set of characteristics [column 5, lines 24-59 and column 8, lines 62-column 9, lines 
6]. McRae further teaches performing a table lookup to select an action to be performed on a 
classified packet based on a classification, wherein one of the actions is comparing said
classified packet to at least a subset of the signature profiles [column 5, lines 24-59 and column 
8, lines 62-column 9, lines 6]. Therefore, it would have been obvious to one having ordinary skill 
in the art at the time of applicant's invention to employ the teachings of McRae within the 
system of Vaidya in order to enhance the performance and efficiency of the system. 

8. As per claims 3-9, Vaidya further teaches classifying said packets according to at least 
one packet field into groups [column 9, lines 46-61 and column 7, lines 2-21].

9. As per claims 13 and 14, Vaidya further teaches performing a table lookup to select an
action to be performed on said packet based on its classification [column 7, lines 2-11 and
column 9, lines 27-35]. Furthermore, McRae teaches performing a table lookup to select an 
action to be performed on said packet based on its classification [column 5, lines 24-59]. 

10. As per claims 15 and 16, Vaidya further teaches partitioning signatures into disjoint 
groups to define subsets of signature profiles [column 6, lines 27-42]. 

11. As per claims 17-19, Vaidya further teaches filtering received packets and capturing
packets at a network analysis device [column 8, lines 40-55]. 

12. As per claim 31, McRae further teaches the method wherein the first set of packet
characteristics includes at least one of a destination address, a protocol type and a destination 
port number [column 5, lines 24-59]. 

13. As per claim 32, McRae further teaches the method wherein the second set of packet 
characteristics includes at least one of packet type and a size [column 3, line 60-column 4, line 
15]. 

14. As per claims 33 and 34, McRae further teaches the method wherein only the second 
classification stage remains in communication with a flow table for identifying an action to be 
taken with respect to the data packets [column 5, lines 24-59].

15. As per claim 35, Vaidya further teaches the method wherein the classification rules are
generated after filtering the data packets [column 3, line 65 - column 4, line 8]. 

16. Claims 20-29 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Copeland, III US Pub. 2002/0144156 A1 (hereinafter Copeland) in view of McRae US 6,970,462 
B1. 

17. As per claim 20, Copeland teaches an intrusion detection system comprising: 

a signature classifier comprising a classifier operable to classify packets according to at 
least one packet field into groups [paragraph 0139, 0140 and 0165]; 

a flow table configured to support table lookups of actions associated with classified 
packets [paragraphs 0148, 0149]; 

a signature database for storing signature profiles identifying patterns associated with 
network intrusion [paragraphs 0020, 0153-0155]; and 

a detection engine operable to perform a table lookup at the flow table to select an action
to be performed on said packet based on its classification, wherein comparing said packets to at
least a subset of the signature profiles is one of the actions [paragraphs 0157-0159 and
0163-0165]. Furthermore, Copeland teaches classifying data packets according to data packet
information [paragraph 0139, 0140 and 0165]. Copeland is silent on a classifier comprising a 
first stage classifier operable to classify packets according to at least one packet field into 
groups and a second stage classifier operable to classify said packets within each of the groups 
according to packet type or size. However, classification of data packets with multi-level stages
is well known in the art, which has the advantage of enhancing the performance and efficiency 
of the system. For example, McRae teaches carrying out classification by a first classification 
stage capable of classifying the data packets on a first set of packet characteristics and a
second classification stage capable of classifying the data packets received from the first 
classification stage based on a second set of characteristics [column 5, lines 24-59 and column 
8, lines 62-column 9, lines 6]. McRae further teaches performing a table lookup to select an 
action to be performed on a classified packet based on a classification, wherein one of the
actions is comparing said classified packet to at least a subset of the signature profiles [column
5, lines 24-59 and column 8, lines 62-column 9, lines 6]. Therefore, it would have been obvious 
to one having ordinary skill in the art at the time of applicant's invention to employ the teachings 
of McRae within the system of Copeland in order to enhance the performance and efficiency of 
the system. 

18. As per claims 21 and 22, Copeland teaches the system further comprising a data 
monitoring device having a capture engine operable to capture data passing through the 
network and configured to monitor network traffic, decode protocols, and analyze received data 
[paragraph 0137]. 

19. As per claim 23, Copeland further teaches a parser operable to parse, generate and 
load signatures at the detection engine [paragraphs 0142-0146]. 

20. As per claim 24, Copeland further teaches the system comprising an alarm manager
operable to generate alarms [paragraphs 0162-0164]. 

21. As per claims 25 and 26, Copeland further teaches a filter configured to filter out packets
received at the intrusion detection system [paragraphs 0139-0141].

22. As per claim 27, Copeland further teaches the flow table is a hash table [paragraphs
0149-0150].

23. As per claims 28 and 29, Copeland further teaches action options listed in the flow table 
include dropping the packet and generating an alarm [paragraph 0165]. 

24. Claims 2 and 12 are rejected under 35 U.S.C. 103(a) as being unpatentable over Vaidya
US Patent 6,279,113 in view of McRae et al. US Patent 6,567,408 B1 and further in view of 
Copeland US Pub. 2002/0144156 A1. 

25. As per claims 2 and 12, Vaidya-McRae teach the method as applied to claim 1 above. 
Vaidya-McRae is silent on the method comprising dropping data packets without corresponding 
classification rules. However, Copeland teaches an intrusion detection system including 
dropping data packets without corresponding classification rules [paragraph 0165]. Both
Vaidya-McRae and Copeland teach a network intrusion detection system. It would have been obvious
to one having ordinary skill in the art at the time of applicant's invention to employ the teachings 
of Copeland within the system of Vaidya-McRae in order to enhance the security of the system. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Beemnet W. Dada whose telephone number is (571) 272-3847. The 
examiner can normally be reached on Monday - Friday (9:00 am - 5:30 pm).

If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kim Y. Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Beemnet W Dada 
February 16, 2007




KIM VU
SUPERVISORY PATENT EXAMINER



